OAuth2/OIDC public clients are not allowed to use the HMAC-based signing algorithms (HS256, HS384 or HS512), because the signing key for these is derived from the client secret, which a public client does not have. If you configure a Public client to use HS256 for ID token signing, a 500 Internal Server Error is returned and a stack trace is logged with the root cause
This is likely to be confusing, as it does not say why no secret is available.
- Configure OpenID Connect in a realm
- Create an OAuth 2 client, set Core > Client type = Public, and set Signing and Encryption > ID Token Signing Algorithm to HS256.
- Attempt to get an OIDC ID token using that client.
Either a validation error when trying to configure a public client with a symmetric signing algorithm, or at least a sensible error message in the logs when this happens (e.g., "Cannot use HS256 signing algorithm with Public client").
A 500 Internal Server Error, together with a stack trace in the logs whose root cause is NoSuchSecretException.
Do not configure HMAC signing algorithms for Public clients, as that is not allowed by the spec anyway. (The same probably happens if you try to configure symmetric encryption.)
In the following code we just return an empty secret store if the client is confidential. At this point we already know that a symmetric algorithm (for either signing or encryption) has been configured incorrectly, so we can fail immediately with an IllegalStateException or similar. Ideally we would also add validation to the client settings to prevent a client being saved with these algorithms selected when the client type is Public.
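As an added illustration of the two checks proposed above (this is not AM's own code; the class, method and enum names are hypothetical), a Java validator that reports a settings error when a Public client selects an HMAC signing algorithm or a shared-secret JWE key-management algorithm, and a fail-fast variant for the token path:

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Hypothetical validator for client settings; not part of the product's API. */
public final class PublicClientAlgorithmValidator {
    public enum ClientType { PUBLIC, CONFIDENTIAL }

    // JWS algorithms whose MAC key is the client secret (RFC 7518 section 3.2).
    private static final Set<String> SYMMETRIC_JWS = Set.of("HS256", "HS384", "HS512");
    // JWE key-management algorithms that likewise need a shared secret (RFC 7518 section 4).
    private static final Set<String> SYMMETRIC_JWE = Set.of(
            "dir", "A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW",
            "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW");

    /** Returns human-readable problems; empty means the combination is acceptable. */
    public static List<String> validate(ClientType type, String idTokenSigningAlg,
                                        String idTokenEncryptionAlg) {
        List<String> problems = new ArrayList<>();
        if (type != ClientType.PUBLIC) {
            return problems; // a confidential client has a secret, so HMAC/symmetric algs are fine
        }
        if (idTokenSigningAlg != null && SYMMETRIC_JWS.contains(idTokenSigningAlg)) {
            problems.add("Cannot use " + idTokenSigningAlg
                    + " signing algorithm with Public client: no client secret is available");
        }
        if (idTokenEncryptionAlg != null && SYMMETRIC_JWE.contains(idTokenEncryptionAlg)) {
            problems.add("Cannot use " + idTokenEncryptionAlg
                    + " encryption algorithm with Public client: no client secret is available");
        }
        return problems;
    }

    /** Fail-fast form for the token-issuing path, replacing the bare NoSuchSecretException. */
    public static void requireValid(ClientType type, String signingAlg, String encryptionAlg) {
        List<String> problems = validate(type, signingAlg, encryptionAlg);
        if (!problems.isEmpty()) {
            throw new IllegalStateException(String.join("; ", problems));
        }
    }

    public static void main(String[] args) {
        System.out.println(validate(ClientType.CONFIDENTIAL, "HS256", "dir"));   // []
        System.out.println(validate(ClientType.PUBLIC, "RS256", "RSA-OAEP"));     // []
        System.out.println(validate(ClientType.PUBLIC, "HS256", "A128KW"));       // two problems
        try {
            requireValid(ClientType.PUBLIC, "HS256", null);
        } catch (IllegalStateException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```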